
How to implement a secure session management system in PHP (and generally)?

Developers, especially inexperienced PHP developers, have a tendency not to care much about security-related issues. This is true for the problem of secure sessions, too - and the reason why attackers of a certain website or service can easily hijack sessions to get access to data which they should not have access to.
Because HTTP is a stateless protocol, sessions are required to identify a certain client across multiple requests. In PHP this identification is done via "session IDs", which are exchanged by the client and the web server on each request (the session ID may be stored in a cookie, in the URL or in a hidden field). The server stores the session ID locally to identify a certain client if the session ID is available in a certain request.
If an attacker is able to steal the session ID of a certain client, the server will "think" that the attacker is the client. As a result, the attacker will be able to do everything the client is allowed to do.
How do I implement a session management system in PHP (and generally) which is more secure and better protected against "session hijacking" attempts?

The following four problems can be identified when using native PHP sessions (and these can be partly solved):

Problem 1: The session ID is the only thing which is being used to identify a client.
Solution 1: Use additional information about your client to improve the chances that the identified client is honestly the correct one (e.g. client IP address (be aware of proxies), client user agent, ...).

Problem 2: The process of generating client IPs can be reproduced by an attacker.
Solution 2: Use a secure mechanism to generate your session IDs which is not reproducible.

Problem 3: Sessions exist longer than they should (which makes attacks easier).
Solution 3: Instant destruction of the session ID if the server suspects that there might be something going wrong.

Problem 4: Session IDs may be stolen using malicious JavaScript.
Solution 4: Use only session cookies and make your cookie HTTP-only.

The following PHP code is a solution approach to secure session management in PHP (only the branch that creates a new session is shown):

```php
    } else {
        // if we have to create a new session, we do it in a secure, self-defined way
        self::destroy_session_absolute();     // drop any existing session data and cookie
        self::session_regenerate_save_id();   // generate a fresh, non-reproducible session ID
        session_start();
        self::setSessionClientIP();           // bind the session to the client's IP address
        self::setSessionClientAgent();        // bind the session to the client's user agent
        $_SESSION['last_activity'] = time();  // timestamp used to expire idle sessions
    }
}
```
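As an added example that is not part of the answer above, the following self-contained PHP bootstrap applies the same four solutions using only stock PHP session functions; the names `secure_session_start()` and `client_fingerprint()`, the idle limit and the coarsening of IPv4 addresses to their /24 are this example's own choices, and it assumes PHP 7.3 or later.

```php
<?php
// Added example (not the answer's code): one bootstrap function covering the
// answer's four points. Function names and the fingerprint scheme are assumptions.

function client_fingerprint(): string
{
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    // Solution 1 caveat: clients behind proxy pools may change their last octet,
    // so an IPv4 address is coarsened to its /24 before being bound to the session.
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
        $ip = substr($ip, 0, strrpos($ip, '.'));
    }
    return hash('sha256', $ip . '|' . ($_SERVER['HTTP_USER_AGENT'] ?? ''));
}

function secure_session_start(int $idle_limit = 900): void
{
    $https = isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    // Solution 4: IDs travel only in a cookie (never URL or hidden field) that
    // JavaScript cannot read. use_strict_mode refuses IDs the server never issued.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'lifetime' => 0,        // session cookie: dropped when the browser closes
        'path'     => '/',
        'secure'   => $https,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();

    $fingerprint = client_fingerprint();
    $idle = time() - ($_SESSION['last_activity'] ?? time());
    // Solution 3: if the client no longer matches the stored fingerprint, or the
    // session has been idle too long, discard its data at once (new ID below).
    if (isset($_SESSION['fingerprint'])
        && (!hash_equals($_SESSION['fingerprint'], $fingerprint) || $idle > $idle_limit)) {
        $_SESSION = [];
    }

    // Solution 2: a brand-new session gets an ID from PHP's CSPRNG-backed
    // generator; session_regenerate_id(true) also deletes the old storage record.
    if (!isset($_SESSION['fingerprint'])) {
        session_regenerate_id(true);
        $_SESSION['fingerprint'] = $fingerprint;
    }
    $_SESSION['last_activity'] = time();
}
```

Call `secure_session_start()` before any output on every request; a fingerprint mismatch then yields an empty session with a fresh ID rather than the hijacked one.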